Last active: August 16, 2025 06:55
Gist: aKamrani/d83d1e103b2da419a219e47d7d92ecbe
Docker Rootless (Security Enhanced Mode)
Extra Content (just for fast install)
After-partitioning script:
** Use this script to install rootless Docker only after the partitions have been created and formatted **
```bash
#!/bin/bash
# Rootless Docker install. Meant to be run line by line: each `su appuser` opens a new
# shell, so a non-interactive run of this file would block at that point.
adduser appuser
usermod -aG sudo appuser
su appuser
mkdir /home/appuser/bin
mkdir -p /home/appuser/.config/docker
# Allow overlay mounts inside user namespaces (needed by rootless dockerd on some kernels).
sudo modprobe overlay permit_mounts_in_userns=1
su appuser
# daemon.json must be a single JSON object, so write it rather than appending to it.
echo '{"storage-driver": "fuse-overlayfs", "data-root": "/data"}' > ~/.config/docker/daemon.json
# Stop the system-wide (root) daemon so only the rootless one is running.
sudo systemctl disable --now docker.service docker.socket
echo 'export PATH=/usr/bin:$PATH' >> ~/.bashrc
echo 'export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock' >> ~/.bashrc
echo 'export XDG_RUNTIME_DIR=/run/user/$(id -u)' >> ~/.bashrc
echo 'export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus"' >> ~/.bashrc
# sudoers: members of group "service" may run only /bin/docker, and only as appuser.
# env_keep is what lets the DOCKER_HOST=... assignment in the alias below pass through sudo;
# note that an unscoped Defaults line applies to every sudo command, not just DOCKER.
# (visudo, or a file under /etc/sudoers.d, protects you from a syntax error locking sudo.)
echo 'Cmnd_Alias DOCKER = /bin/docker' | sudo tee -a /etc/sudoers
echo '%service ALL=(appuser) DOCKER' | sudo tee -a /etc/sudoers
echo 'Defaults env_keep += "DOCKER_HOST"' | sudo tee -a /etc/sudoers
# Keep appuser's user services (the rootless daemon) running without an active login.
loginctl enable-linger appuser
mkdir -p ~/.config/systemd/user/docker.service.d
echo '[Service]' > ~/.config/systemd/user/docker.service.d/override.conf
echo Environment=\"DOCKERD_ROOTLESS_ROOTLESSKIT_NET=slirp4netns\" >> ~/.config/systemd/user/docker.service.d/override.conf
echo Environment=\"DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns\" >> ~/.config/systemd/user/docker.service.d/override.conf
export XDG_RUNTIME_DIR="/run/user/$(id -u)"
dockerd-rootless-setuptool.sh install
systemctl --user daemon-reload
systemctl --user start docker
systemctl --user enable docker
# Let the rootless daemon bind ports below 1024 (sysctl key has no space in it).
echo "net.ipv4.ip_unprivileged_port_start=0" | sudo tee /etc/sysctl.d/50-rootless-docker.conf
sudo sysctl --system
USER_ID=$(id -u)
# Append the alias with tee: a plain `>` redirect would run as the unprivileged shell
# (permission denied) and, as root, would truncate /etc/bash.bashrc.
echo "alias docker='sudo -u appuser DOCKER_HOST=unix:///run/user/$USER_ID/docker.sock docker'" | sudo tee -a /etc/bash.bashrc
```
Docker Rootless Install (Security Enhanced Mode)
In this installation we have two security enhancements:
1- create two dedicated partitions for docker data and container volumes
2- use an indirect user for docker container management
Partitions
1- Main Partition is /
2- Docker Partition is /data
3- Container Volumes Partition is /datatank
LVM Partitioning
Add two disks to the VM in ESXi.
For each disk [/data & /datatank] run these commands. X can be b, c or d; Y can be 1, 2 or 3.
For /data:
For /datatank:
Install Docker Rootless
Create appuser:
This appuser will be used for managing docker through
Install needed packages
Add the needed permissions to the created folders
Main Installation (execute line by line; don't copy-paste)
Add this alias to the global bashrc so that all users can run docker CLI commands through the appuser user:
Disable login for appuser and remove sudo permissions (Security Enhancement)
Enable listening on lower ports in slirp4netns (in rootless Docker, by default only ports above 1024 can be listened on):
Now other users will be able to run docker ps. Restart the system to apply all changes.
Add and run the hello-world image to test that everything works.
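A post-install verification script, added here as an example (it is not part of the gist), that checks the properties this setup depends on: a rootless daemon, the data-root on its own partition, the port sysctl, a sudoers grant limited to the docker binary, and socket ownership. It assumes the gist's names (appuser, /data, group service, the per-user socket) and that findmnt, stat and sysctl are installed.

```bash
#!/bin/bash
# Post-install verification for the rootless layout above. Added example, not part of the
# gist; it assumes the gist's names (appuser, /data as data-root, the per-user socket path).
# Every check takes its input as an argument, so it works on live output or saved samples.
# A rootless daemon reports "name=rootless" among its security options.
check_rootless() {      # $1: output of `docker info --format '{{.SecurityOptions}}'`
  case "$1" in *rootless*) return 0 ;; *) return 1 ;; esac
}
# daemon.json must pin fuse-overlayfs and keep the data-root on the dedicated partition.
check_daemon_json() {   # $1: contents of /home/appuser/.config/docker/daemon.json
  printf '%s' "$1" | grep -q '"storage-driver"[[:space:]]*:[[:space:]]*"fuse-overlayfs"' &&
    printf '%s' "$1" | grep -q '"data-root"[[:space:]]*:[[:space:]]*"/data"'
}
# /data must be a mount point of its own; findmnt prints "/" if it is only a directory on the root fs.
check_data_mount() {    # $1: output of `findmnt -n -o TARGET --target /data`
  [ "$1" = "/data" ]
}
# Rootless containers can bind ports below 1024 only when this sysctl is 0.
check_port_sysctl() {   # $1: output of `sysctl -n net.ipv4.ip_unprivileged_port_start`
  [ "$1" = "0" ]
}
# The Cmnd_Alias must list the docker binary and nothing else, and the group rule must
# target appuser: any extra command or an ALL here widens the grant well beyond `docker`.
check_sudoers() {       # $1: contents of /etc/sudoers (or just the three lines added above)
  alias_line=$(printf '%s\n' "$1" | grep '^Cmnd_Alias[[:space:]]*DOCKER[[:space:]]*=') || return 1
  for c in $(printf '%s' "${alias_line#*=}" | tr ',' ' '); do
    case "$c" in /bin/docker|/usr/bin/docker) ;; *) return 1 ;; esac
  done
  printf '%s\n' "$1" | grep -q '^%service[[:space:]]*ALL=(appuser)[[:space:]]*DOCKER$'
}
# The socket must belong to appuser and must not be writable by "other".
check_socket() {        # $1: output of `stat -c '%U %a' /run/user/<uid>/docker.sock`
  set -- $1
  [ "$1" = "appuser" ] || return 1
  case "$2" in *[0145]) return 0 ;; *) return 1 ;; esac
}
report() { "$@" && echo "ok   $1" || echo "FAIL $1"; }
run_live_checks() {     # run as appuser, or with DOCKER_HOST exported as in the gist
  sock="/run/user/$(id -u appuser)/docker.sock"
  report check_rootless "$(docker info --format '{{.SecurityOptions}}' 2>/dev/null)"
  report check_daemon_json "$(cat /home/appuser/.config/docker/daemon.json)"
  report check_data_mount "$(findmnt -n -o TARGET --target /data)"
  report check_port_sysctl "$(sysctl -n net.ipv4.ip_unprivileged_port_start)"
  report check_sudoers "$(sudo cat /etc/sudoers)"
  report check_socket "$(stat -c '%U %a' "$sock")"
}
case "${1:-}" in --live) run_live_checks ;; esac
```

Run it with `--live` on the installed host; every line should read `ok`, and a `FAIL` on the sudoers or socket check means other users have more than `docker` through appuser.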